Back
Technology

Microsoft April 2026 Patch Tuesday Addresses 167 Vulnerabilities Including Actively Exploited Flaw

View source

Microsoft April 2026 Patch Tuesday: 167 Vulnerabilities Patched, One Exploited in the Wild

Microsoft released its monthly security updates on April 14, 2026, addressing 167 vulnerabilities across its product portfolio. The company reported that one vulnerability has been exploited in the wild and another has been publicly disclosed. Microsoft assessed 19 of the vulnerabilities as more likely to see future exploitation.

Separately from the Patch Tuesday count, Microsoft has provided patches for 80 browser-related vulnerabilities this month, including a batch of 60 patches released in a single day last week, which Microsoft stated was a new record for that category. Microsoft Edge is based on the Chromium engine, and Chromium maintainers acknowledged researchers for the vulnerabilities Microsoft republished last Friday.

Key Vulnerabilities

CVE-2026-32201: SharePoint Spoofing Vulnerability (Exploited in the Wild)

  • Type: Spoofing vulnerability
  • CWE-20: Improper Input Validation
  • Impact: Low impact to confidentiality and integrity, no impact to availability
  • Status: Microsoft confirmed exploitation in the wild
  • Patches: Available for all supported versions, including SharePoint 2016, which moves beyond extended support on July 14, 2026

CVE-2026-33825: Microsoft Defender Local Privilege Escalation (Publicly Disclosed)

  • Type: Local privilege escalation
  • Impact: Successful exploitation leads to SYSTEM privileges
  • Status: Publicly disclosed; not reported as exploited
  • Mitigation: The Microsoft Defender Antimalware Platform updates automatically by default; systems with disabled Microsoft Defender are not in an exploitable state

CVE-2026-33824: Windows IKE Services Remote Code Execution (Critical)

  • Type: Unauthenticated remote code execution
  • CVSS: Rated as critical
  • Exploitation: Requires sending specially crafted packets to a Windows machine with IKE v2 enabled
  • Affected Versions: All Windows versions back to Server 2016 and Windows 10 1607 LTSC
  • Mitigation: Advisory includes guidance for restricting relevant UDP traffic for systems that cannot be patched immediately
  • Credits: The advisory credits both the WARP and MORSE (Microsoft Offensive Research & Security Engineering) teams at Microsoft, marking the first explicit mention of WARP in a Microsoft security advisory acknowledgments section

Product Lifecycle Updates

Extended Support Ended (April 14, 2026)

Extended support ended for the following legacy enterprise tools:

  • Dynamics C5 2016
  • Dynamics NAV 2016
  • App-V 5.0 and 5.1
  • UE-V 2.1
  • BitLocker Administration and Monitoring 2.5 SP1

.NET 9 Support Extension

Microsoft .NET 9 Standard Term Support (STS) end-of-support was extended by six months from May 2026 to November 10, 2026.